Universities Vulnerable to ID Thieves

(Los Angeles) Universities have become attractive targets for hackers who are taking advantage of the openness of the schools' networks, their decentralized security and the personal information they keep on millions of young adults. A major database breach at the University of California, Los Angeles that went undetected for more than a year and a smaller breach at the University of Texas are the latest examples of how vulnerable colleges are to such attacks, security experts said.

Universities account for more than 50 data breaches on a list of more than 300 so far this year as tracked by the Privacy Rights Clearinghouse. Hackers have broken into computer systems at Georgetown University, Ohio University, the University of Alaska and Western Illinois University, among others.

"They are a major category, if not the major category," Clearinghouse director Beth Givens said.

The UCLA breach was discovered Nov. 21 when the university noticed a hacker was fishing through the database specifically for names and Social Security numbers. Officials said the hacks date back to at least October 2005.

University officials say that only a small number of records containing Social Security numbers were accessed, probably less than 5 percent of the 800,000 total records. The university notified the FBI, which has launched a probe into the incident.

Hackers also might have obtained the personal information of 6,000 people who worked for, applied to or attended the University of Texas at Dallas, school officials said last week. The information includes names and Social Security numbers, the school said. In some cases, addresses, e-mail addresses and telephone numbers also might have been obtained.

In both cases, school officials stress there is no indication that any of the information has been used to obtain phony credit cards or commit identity-theft crimes.

One reason university databases make such attractive targets is that Social Security numbers are routinely used to identify students.

"It is about time that Social Security numbers receive more protection or that they no longer be used for identifying individuals within the university system," Givens said.

UCLA no longer uses Social Security numbers to identify students, according to Jim Davis, the university's chief information officer.

In addition, the school has tightened security by requiring that all computers connecting to its networks be inspected and have the latest antivirus software and other security programs installed.

Computers used for administrative purposes have even tougher security software installed that allows for central monitoring and updating of security software.

Davis said the university tries to balance the need for libraries and other research facilities to have more open access to data with the need to keep sensitive information concentrated and secure.

"We are striving very hard to strike exactly the right balance, recognizing we do need to protect information," he said. "But we don't want to undercut the way the university works in regards to open communications."

Universities also need to communicate freely with other educational institutions and the public to foster research.

"On the academic side, we want people to see what we do and who we are, within limits," said David Farber, professor of Computer Science and Public Policy in the School of Computer Science at Carnegie Mellon University.

Universities do take seriously, however, the need to separate sensitive personal data from academic data that is more open, Farber said.

"On the administration side of the house, they are running a business and should behave like a business," he said.

Tougher penalties for data breaches also need to be enacted, said Robert Brownstone, an attorney at the Silicon Valley law firm Fenwick & West LLP.

Despite several attempts, there is no strong federal law mandating that universities notify everyone whose information has been compromised due to security breaches. Laws in 33 states vary in notification requirements placed on universities and corporations.

Notification is not enough, Brownstone said. Tough financial penalties also need to be included in future legislation.

"It's kind of a backward stick," Brownstone said. "Theoretically, it would make a company want to take tougher security measures. But if the only real penalty is you have to send a notice out, even that strong statute is deficient."

Credit card numbers, Social Security numbers, dates of birth and other items of personal information can be sold on the black market and used to make illegal online purchases. Young adults, with their usually blank credit histories, make ideal targets for identity theft.

The UCLA and University of Texas breaches are among the latest involving universities, financial institutions, private companies and government agencies.

This spring, Ohio University announced the first of what would be identified as five cases of data theft, affecting thousands of students, alumni and employees _ including the president. About 173,000 Social Security numbers may have been stolen since March 2005, along with names, birth dates, medical records and home addresses.

In 2005, a database at the University of Southern California was hacked, exposing the records of 270,000 individuals.